Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-17

developer security architecture and design

assessment objective:

Determine if the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

sa-17(a)

is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;

sa-17(b)

accurately and completely describes:

sa-17(b)[1]

the required security functionality;

sa-17(b)[2]

the allocation of security controls among physical and logical components; and

sa-17(c)

expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; design specification and security architecture documentation for the system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities].